0

Is interacting with the database in BreezeJS secure?

For example, if I use the following code, it clearly shows the Database name, tables and the query itself directly in the javascript. Does it make a secure connection to the database?

var manager = new breeze.EntityManager('api/northwind');

var query = new breeze.EntityQuery()
    .from("Employees");

manager.executeQuery(query).then(function(data){
    ko.applyBindings(data);
}).fail(function(e) {
    alert(e);  
});
Matt Hulse
  • 5,496
  • 4
  • 29
  • 37
Raed Alsaleh
  • 1,581
  • 9
  • 27
  • 50
  • Checking the docs, it feels as if you're looking for `var query=breeze.EntityQuery.from("Employees");` and `var manager=breeze.EntityManager('api/northwind');` – Khez Feb 13 '13 at 06:52
  • Let's be very clear: the "Employees" in the query is the **resource name**, not the database table name. The fact that the data for that resource come from the database table whose name is also "Employees" is purely coincidental. The resource could have been called "Foos". Of course there is a natural tendency for entity, table, and service names to be the same. But that is the developer's choice. The same goes for the controller name matching the database name. – Ward Feb 14 '13 at 06:16

2 Answers2

4

The line "var manager = new breeze.EntityManager('api/northwind');" doesn't says anything about the database. It is the route to the MVC controller ( webapi in this case ).

And the line "var query = new breeze.EntityQuery().from("Employees");" does not have any relation to the database, it's the name of a methd in you controller.

Having in consideration that you can use the mechanics that mvc provides to securize the controller ( like the Authorize attribute ), I don't see any risk using breeze.

Julián Yuste
  • 1,472
  • 10
  • 22
  • Bingo. The place to block unauthorized access to customers is on the server using secure controller methods. I found Ward's answer here helpful: http://stackoverflow.com/questions/13662496/how-is-breeze-js-handling-security-and-avoiding-exposing-business-logic?rq=1 – John Feb 13 '13 at 18:21
2

The security of breeze.js in the end falls to the programming language used to actually run the queries. As I saw in the docs, it's mainly for ASP.

Checking the TODO sample, doing an action calls /api/todos/SaveChanges with a payload of:

{
    "entities": [{
        "Id": 2908,
        "Description": "Wine",
        "CreatedAt": "2012-08-22T09:06:00.000Z",
        "IsDone": true,
        "IsArchived": false,
        "entityAspect": {
            "entityTypeName": "TodoItem:#Todo.Models",
            "entityState": "Modified",
            "originalValuesMap": {
                "IsDone": false
            },
            "autoGeneratedKey": {
                "propertyName": "Id",
                "autoGeneratedKeyType": "Identity"
            }
        }
    }],
    "saveOptions": {
        "allowConcurrentSaves": false
    }
}

The only sensitive thing there is the Id. Even if you don't use JavaScript you still have to expose some data in one way or another. I'm not saying this is best way of doing it, but this does not have any immediate drawbacks that I can think of. At least not in the JS component.

It falls on behalf of the application (just like in any situation) to sanitize any input from users. This includes any AJAX calls, be it done with breeze or not.

If you can comment with some of the ASP code used to sanitize/run the queries, we can offer more insight on the matter.

So in summary. No issues. JavaScript by itself does NOT connect to the database so it does not have any inherent security issues.

Khez
  • 10,172
  • 2
  • 31
  • 51